title: Denied Access To Remote Desktop
id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9
description: This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available Windows servers in the network.
status: experimental
tags:
    - attack.lateral_movement
    - attack.t1076 # an old one
    - attack.t1021.001
references:
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
author: Pushkarev Dmitry
date: 2020/06/27
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4825
    condition: selection
fields:
    - EventCode
    - AccountName
    - ClientAddress
falsepositives:
    - Valid user was not added to RDP group
level: medium